Integrating an ACS (TACACS+) server to Authenticate AWMS Users

NOTE: As of AWMS 7.0, ACS 5.0 is not supported. This condition may have changed in a later version of AirWave.

To authenticate AWMS (AMP) users against a Cisco ACS (TACACS+) RADIUS server, use the following steps:

NOTE: This is for authenticating users to access the AMP server, not for end users accessing APs.

On the ACS (TACACS+) server:

1. Go to the Interface Configuration page and click on the TACACS+ link.
2. Under New Services enter:

   Service: AMP
   Protocol: https

   then click Submit.

   (***Note: these are case sensitive***)

3. Go to the Group Setup page.
4. Edit Settings for each user group that applies.
5. Check "AMP https".
6. Check "Custom attributes" and enter a role in the box provided of the form

role=<name_of_amp_role>

Example:

role=DormMonitoring

***PLEASE NOTE: In AMP 6.3 and earlier the default administrator role was called "AMP Administration". In 6.4 fresh installs this role was changed to be called "Admin." All other properties and permissions are the same, and no other roles were changed. ***

7. Go to the Network Configuration page.
8. Under "AAA Clients" click Add Entry.
9. Enter the hostname and IP address of the AMP and provide a shared key or secret. For "Authenticate Using" select TACACS+, then click Submit.
10. Go to the User Setup page and add users to the Group.

To verify and troubleshoot the integration:

1. On the TACACS+ server: Reports and Activity > "Failed attempts" and "Passed Authentication" show failed and successful authentication attempts.
2. From the AMP command line, run a tcpdump of all the traffic between AMP and the TACACS+ server:

# tcpdump host <address_of_tacacs>

3. The roundtrip from AMP to TACACS+ to authenticate users can be very slow. To improve responsiveness for AMP users, be sure to keep the AMP's authorization lifetime setting reasonably high (AMP Setup > General page; last item in General section).
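When reading the tcpdump capture from step 2, it helps to know what a TACACS+ authorization reply carrying the `role=<name_of_amp_role>` attribute looks like on the wire. The following added example (not AirWave or Cisco code) builds such a reply with the header and MD5 body obfuscation defined in RFC 8907, then parses it back the way a capture-analysis tool would: it decodes the body with the shared secret from step 9, extracts the `role=` AV pair, and flags a reply whose body was sent in the clear (the TAC_PLUS_UNENCRYPTED_FLAG), which is the setting a defender should never see between AMP and ACS. The session id, shared secret and role value are constructed for the demonstration.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907 (header section 4.1, authorization section 6.2).
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body is clear text when this flag bit is set
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream used to obfuscate a TACACS+ body (RFC 8907 section 4.5)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_author_reply(args, session_id, key, seq_no=2, version=0xC0, cleartext=False):
    """Construct an authorization REPLY (status PASS_ADD) carrying the given AV pairs."""
    encoded = [a.encode("ascii") for a in args]
    body = (bytes([TAC_PLUS_AUTHOR_STATUS_PASS_ADD, len(encoded)])
            + struct.pack("!HH", 0, 0)            # empty server_msg and data
            + bytes(len(a) for a in encoded)
            + b"".join(encoded))
    flags = TAC_PLUS_UNENCRYPTED_FLAG if cleartext else 0
    header = HEADER.pack(version, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body))
    if not cleartext:
        body = obfuscate(body, session_id, key, version, seq_no)
    return header + body


def parse_author_reply(packet, key):
    """Decode one authorization REPLY as seen in a capture; needs the shared secret."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if not cleartext:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body)
    offset = 6
    arg_lens = body[offset:offset + arg_cnt]
    offset += arg_cnt + msg_len + data_len   # skip server_msg and data
    args = []
    for n in arg_lens:
        args.append(body[offset:offset + n].decode("ascii"))
        offset += n
    return {"type": ptype, "status": status, "cleartext": cleartext, "args": args}


def amp_role(args):
    """Return the AMP role from a role=<name> AV pair (case sensitive, as the article notes)."""
    for av in args:
        if av.startswith("role="):
            return av[len("role="):]
    return None


if __name__ == "__main__":
    # Constructed sample values: not a real session or shared secret.
    secret = b"example-shared-secret"
    pkt = build_author_reply(["role=DormMonitoring"], session_id=0x1234ABCD, key=secret)
    reply = parse_author_reply(pkt, secret)
    print("role:", amp_role(reply["args"]), "cleartext:", reply["cleartext"])
```

The parser only recovers the `role=` value when called with the same secret configured on both AMP and ACS; with a different secret the body decodes to noise, which is exactly why a shared-key mismatch shows up on the ACS side as a failed attempt rather than a readable request.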